Cisco IOS CVE-2008-4128: KEV-listed HTTP Administration CSRF command execution

Suspected
Discovered Jul 13, 2026

CISA added CVE-2008-4128 to KEV on 2026-07-13. The issue affects Cisco IOS 12.4 HTTP Administration on Cisco 871 ISR devices, where cross-site requests can reach level-15 command URIs.

1
Affected Packages
6
Observables
4
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Current dossier state
needs review
Last verified
Not yet independently verified
Am I affected?
cisco-ios
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
Observed fact
Direct-source and cited evidence only.
Informed inference
Analysis is labelled where evidence is indirect.
Unknown
Unverified scope remains explicitly open.
alias exec
/level/15/exec/-
/level/15/exec/-/configure/http
/level/15/exec/-
/level/15/exec/-/configure/http

Analysis

Executive Summary

CISA added CVE-2008-4128 to the Known Exploited Vulnerabilities catalog on 2026-07-13 and set a 2026-07-16 remediation due date [1]. CISA describes the issue as multiple cross-site request forgery vulnerabilities in Cisco IOS 12.4 that can allow remote attackers to execute arbitrary commands through level-15 HTTP Administration URIs [1].

NVD records the affected context as the HTTP Administration component in Cisco IOS 12.4 on the Cisco 871 Integrated Services Router. The two public request patterns named by NVD are a show privilege command to /level/15/exec/- and an alias exec command to /level/15/exec/-/configure/http [2]. Because exploitation depends on a browser/session path into an administrative HTTP interface, defenders should treat exposed or historically exposed IOS HTTP/HTTPS management as the scoping boundary, not every Cisco device in inventory.

Key Facts

CVE: CVE-2008-4128

Vendor: Cisco

Product: Cisco IOS

Known affected context: IOS 12.4 HTTP Administration on Cisco 871 Integrated Services Router [2]

KEV added: 2026-07-13 [1]

KEV due date: 2026-07-16 [1]

Weakness: CWE-352 cross-site request forgery [1] [2]

Public request patterns for hunting:

  • /level/15/exec/-
  • /level/15/exec/-/configure/http
  • show privilege
  • alias exec

Affected/fixed version status: Cisco IOS 12.4 is identified as affected by CISA/NVD; exact fixed IOS train remains unknown_after_direct_source_review. CISA points agencies to Cisco's obsolete IOS 12.4 mainline lifecycle page rather than a current fixed-version matrix, so retirement or replacement should be the closure target for confirmed 12.4 exposure [1] [3].

Evidence Assessment

  • confirmed: CISA lists CVE-2008-4128 as known exploited, names Cisco IOS, assigns a 2026-07-16 due date, and recommends applying vendor mitigations under BOD 26-04 and the forensics triage requirements [1].
  • confirmed: NVD describes CSRF in Cisco IOS 12.4 HTTP Administration on Cisco 871 ISR devices and records the two level-15 URI/command patterns used as scope selectors in the attached hunt [2].
  • confirmed: NVD references public exploit entries and a July 2026 U.S. government router hygiene advisory as related evidence; the publication here does not reproduce exploit text and uses only selectors needed for defensive scoping [2] [4].
  • unknown: Current direct Cisco Security Center advisory text for this historical CVE was not recoverable during this run. The reachable Cisco source reviewed here is the obsolete IOS 12.4 mainline lifecycle page linked from CISA's KEV notes [3].
  • not observed: CISA/NVD did not provide attacker-controlled domains, IPs, hashes, malware filenames, victim names, or attribution in the reviewed sources [1] [2].

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceHandling decision
Confirmed compromiseCisco IOS HTTP/HTTPS Administration logs, AAA accounting, or configuration archives show unexpected level-15 command activity using the named URI/command selectors.HTTP admin logs or exported telemetry, TACACS+/RADIUS command accounting, running/startup configuration snapshots, and UTC timeline.Preserve evidence, isolate management access, remove unauthorized configuration, and review privileged credentials/sessions.
Presumed exposedIOS 12.4/871 is present and HTTP/HTTPS server management was enabled or internet-accessible during the exposure window.Inventory, show version, `show running-configinclude ip http`, management ACLs, and AAA records.
Potentially exposedCisco IOS is present but version, model, or HTTP Administration exposure is incomplete.Version/model inventory and management-plane configuration.Collect missing inventory and management access evidence before closing.
Not exposedNo IOS 12.4/871 systems are present, or HTTP management was disabled/restricted and logs/config diffs are negative.Asset inventory, configuration evidence, log/accounting review.Archive closure package with timestamped evidence.
UnknownLogs, configuration archives, AAA accounting, or exact version data are missing.Named data gap with owner and retention window.Keep the device class in scope until the gap is closed.

Timeline

  • 2008-09-18: NVD publishes CVE-2008-4128 with Cisco IOS 12.4 HTTP Administration CSRF details [2].
  • 2026-07-09: A U.S. government router hygiene advisory is referenced by NVD as a related source for current exploited-router risk [4].
  • 2026-07-13: CISA adds CVE-2008-4128 to KEV with a 2026-07-16 due date [1].

Technical Analysis

This is a management-plane browser/session problem. The public description is not a supply-chain package compromise and does not identify a malware family; it is included because CISA newly listed active exploitation in KEV. The practical question is whether an attacker could cause an authenticated administrative browser/session to submit commands to IOS HTTP Administration, and whether that path was exposed on devices still running the obsolete 12.4 line [1] [2] [3].

The attached script searches exported inventories, logs, AAA accounting, and configuration archives for the CVE, Cisco IOS 12.4/871 selectors, and the two NVD-described URI/command strings. A match is not proof of compromise: it is a triage trigger that should lead to device-specific log review, configuration diffing, and command-accounting correlation.

Product-Specific IR Guidance

Evidence sources to collect:

  • show version output for Cisco IOS train, model, uptime, and image metadata.
  • show running-config and show startup-config, with secret handling controls.
  • show running-config | include ^ip http|^ip access-class|aaa|tacacs|radius or equivalent exported configuration evidence.
  • HTTP/HTTPS management access logs where available, reverse proxy/VPN logs, NetFlow, and management ACL change records.
  • TACACS+/RADIUS command accounting and authentication logs for administrative users.
  • Configuration archive diffs covering at least the CISA KEV addition date and any earlier exposure window identified by the owner.

Containment: disable IOS HTTP/HTTPS administration or restrict it to a trusted management network, remove internet exposure, preserve the current running/startup configuration before making changes, and snapshot AAA/accounting records with UTC timestamps.

Eradication and recovery: retire or replace obsolete IOS 12.4 systems where feasible. If emergency replacement is not immediate, remove unauthorized aliases or privilege/configuration changes only after evidence capture, rotate local administrative credentials if command accounting or configuration diffs suggest unauthorized use, and verify management ACLs from a clean administrative path.

Closure gates: keep a UTC timeline, hash exported evidence bundles, identify the storage owner, record the fixed/replaced version or explicit retirement plan, run a post-fix scan for the selectors, and monitor administrative command logs for at least one maintenance cycle after remediation.

Indicators of Compromise

No attacker-controlled domains, IP addresses, URLs, file hashes, or malware filenames were provided by CISA or NVD. The machine-readable IOC profile intentionally keeps network IOC arrays empty. Defensive selectors are source/product/hunt selectors: CVE-2008-4128, Cisco IOS 12.4, Cisco 871 Integrated Services Router, /level/15/exec/-, /level/15/exec/-/configure/http, show privilege, and alias exec.

Sources

Timeline

5 of 5 rows

Timeline
DateEventDescriptionSource
Jul 13, 2026First seenFirst seen recorded for Cisco IOS CVE-2008-4128: KEV-listed HTTP Administration CSRF command execution.cisco.com
Sep 18, 2008DiscoveryDiscovery recorded for Cisco IOS CVE-2008-4128: KEV-listed HTTP Administration CSRF command execution.cisco.com
Sep 18, 2008DisclosureDisclosure recorded for Cisco IOS CVE-2008-4128: KEV-listed HTTP Administration CSRF command execution.cisco.com
Invalid DatePatch or fixPatch or fix recorded for Cisco IOS CVE-2008-4128: KEV-listed HTTP Administration CSRF command execution.cisco.com
Jul 13, 2026Cisco IOS CVE-2008-4128: KEV-listed HTTP Administration CSRF command executionUnknowncisco.com

Affected Software

1 of 1 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
cisco-iosnetwork-device12.4 affected; fixed unknown_after_direct_source_review; 12.4 mainline obsoleteMalicious65%cisco.com; cisa.gov; media.defense.gov; nvd.nist.gov

IOC Clipboard

6 IOCs
commandalias exec
network_pattern/level/15/exec/-
command/level/15/exec/-/configure/http
command/level/15/exec/-
network_pattern/level/15/exec/-/configure/http
commandshow privilege

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
Cisco IOS CVE-2008-4128 exposure and command-accounting scopePythonDo inventories, Cisco IOS HTTP Administration logs, AAA accounting exports, or configuration archives contain CVE-2008-4128 product selectors or the NVD-described level-15 URI and command strings?scripts/scope_cisco-ios-cve-2008-4128-kev.py opens in a new tabcisco.com

Hunt Manifest: Cisco IOS CVE-2008-4128 exposure and command-accounting scope

Title
Cisco IOS CVE-2008-4128 exposure and command-accounting scope
Question
Do inventories, Cisco IOS HTTP Administration logs, AAA accounting exports, or configuration archives contain CVE-2008-4128 product selectors or the NVD-described level-15 URI and command strings?
Telemetry Family
Python
Repository
scripts/scope_cisco-ios-cve-2008-4128-kev.py
Show tested hunting scriptscripts/scope_cisco-ios-cve-2008-4128-kev.py
scripts/scope_cisco-ios-cve-2008-4128-kev.py opens in a new tabPython
#!/usr/bin/env python3
"""Scope CVE-2008-4128 exposure from inventories and exported Cisco IOS telemetry.

Input: a directory containing CSV, JSON, JSONL, TXT, LOG, YAML, XML, config, or
AAA accounting exports. The script never contacts the network and does not run
untrusted code. It searches for the exact CVE, affected product/version selectors,
and the management-plane URI/command strings named by CISA/NVD.

Exit codes:
  0: no matches
  2: one or more selectors matched and review is required
  3: execution error
"""
from __future__ import annotations
import json, os, sys
from pathlib import Path
CVE_ID = "CVE-2008-4128"
VENDOR = "Cisco"
PRODUCT = "IOS"
AFFECTED_VERSION_SELECTORS = [
    "Cisco IOS 12.4",
    "IOS 12.4",
    "Cisco 871 Integrated Services Router",
    "871 Integrated Services Router",
    "cisco-ios 12.4 affected; fixed unknown_after_direct_source_review; 12.4 mainline obsolete",
]
SOURCE_SELECTORS = [
    "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
    "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2008-4128",
    "https://nvd.nist.gov/vuln/detail/CVE-2008-4128",
    "https://www.cisco.com/c/en/us/obsolete/ios-nx-os-software/cisco-ios-software-releases-12-4-mainline.html",
]
DOMAINS: list[str] = []
HASHES: list[str] = []
URLS: list[str] = []
FILES: list[str] = []
PROCESS_PATTERNS = [
    "/level/15/exec/-",
    "/level/15/exec/-/configure/http",
    "show privilege",
    "alias exec",
]
NETWORK_PATTERNS = [
    "/level/15/exec/-",
    "/level/15/exec/-/configure/http",
]
INDICATORS = [CVE_ID, *AFFECTED_VERSION_SELECTORS, *SOURCE_SELECTORS, *PROCESS_PATTERNS, *NETWORK_PATTERNS]
OUT = os.environ.get("OUT", "hp-cisco-ios-cve-2008-4128-kev-scope")
TEXT_SUFFIXES = {".csv", ".json", ".jsonl", ".txt", ".log", ".yaml", ".yml", ".xml", ".conf", ".ini", ".cfg", ".md"}
EXCLUDED_DIR_NAMES = {".git", "node_modules", "vendor", "dist", "__pycache__", ".venv"}
def read_text(path: Path) -> str:
    try:
        return path.read_text(encoding="utf-8", errors="ignore")
    except Exception:
        return ""
def iter_files(root: Path):
    if root.is_file():
        yield root; return
    for q in root.rglob("*"):
        if q.is_file() and not any(part in EXCLUDED_DIR_NAMES for part in q.parts):
            if not q.suffix or q.suffix.lower() in TEXT_SUFFIXES:
                yield q
def scan(root: Path):
    matches=[]; lowered=[s.lower() for s in INDICATORS if s]
    for path in iter_files(root):
        low=read_text(path).lower()
        hits=sorted({INDICATORS[i] for i,s in enumerate(lowered) if s in low})
        if hits:
            matches.append({"path": str(path), "hits": hits})
    return matches
def main(argv=None):
    argv=argv or sys.argv[1:]
    root=Path(argv[0]) if argv else Path(".")
    try:
        matches=scan(root)
        out_dir=Path(OUT); out_dir.mkdir(parents=True, exist_ok=True)
        report={"cve": CVE_ID, "vendor": VENDOR, "product": PRODUCT, "affected_version_selectors": AFFECTED_VERSION_SELECTORS, "source_selectors": SOURCE_SELECTORS, "match_count": len(matches), "matches": matches}
        (out_dir/"scope_report.json").write_text(json.dumps(report, indent=2), encoding="utf-8")
        print(json.dumps({"cve": CVE_ID, "match_count": len(matches), "report": str(out_dir/"scope_report.json")}, indent=2))
        return 2 if matches else 0
    except Exception as exc:
        print(json.dumps({"cve": CVE_ID, "error": str(exc)}), file=sys.stderr)
        return 3
if __name__ == "__main__":
    raise SystemExit(main())

Provenance & Sources

4 of 4 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
cisco.comSecurity Researcher95%1CISA added CVE-2008-4128 to KEV on 2026-07-13. The issue affects Cisco IOS 12.4 HTTP Administration on Cisco 871 ISR devices, where cross-site requests can reach level-15 command URIs.
cisa.govVendor95%2CISA added CVE-2008-4128 to KEV on 2026-07-13. The issue affects Cisco IOS 12.4 HTTP Administration on Cisco 871 ISR devices, where cross-site requests can reach level-15 command URIs.
media.defense.govOther80%1CISA added CVE-2008-4128 to KEV on 2026-07-13. The issue affects Cisco IOS 12.4 HTTP Administration on Cisco 871 ISR devices, where cross-site requests can reach level-15 command URIs.
nvd.nist.govSecurity Researcher95%1CISA added CVE-2008-4128 to KEV on 2026-07-13. The issue affects Cisco IOS 12.4 HTTP Administration on Cisco 871 ISR devices, where cross-site requests can reach level-15 command URIs.